Polymarket dismisses 'nonsense' claims of data breach by dark web seller

Polymarket has dismissed claims of a massive data breach by a dark web seller, calling the reports “nonsense.” The threat actor using the handle “xorcat” claimed to have leaked a database affecting over 300K records and an Exploit Kit, containing roughly 1GB of records (names, pseudonyms, and wallet addresses).

The attacker, who claimed to leak Polymarket’s data on a popular cybercrime forum, explained that the data was extracted via undocumented API endpoints, a pagination bypass, and a CORS misconfiguration in Polymarket’s Gamma and CLOB APIs. The pack also included an auto-dump script and working POCs for multiple CVEs.

Specifically, the pulled data included 10,000 unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, and base address), and over 4,111 comments with attached profile objects.

The attacker also provided proof-of-concept scripts and alleged that the data included 1,000 report records containing 58 unique ETH addresses and an admin_auth_addr indicator, as well as over 48,000 gamma markets with full metadata, condition IDs, and token IDs. 

Additionally, there were over 250,000 active CLOB markets with FPMM addresses, and over 292 events with submitter/resolver ETH addresses and internal usernames. The leak also included 100 reward configurations with USDC contract addresses and daily rates, 9,000 follower profiles (with names, pseudonyms, and proxy wallets), and internal user IDs exposed in createdBy/updatedBy fields.

Polymarket breach poses a national security threat

Polymarket is at the center of a major integrity scandal that poses a different kind of breach–one of national security status. The DOJ and the CFTC are using the recent breach as a primary example of why prediction markets need stricter oversight, arguing that they can incentivize the leakage of classified intelligence for profit. That exposes traders–including high-profile political figures–to targeted phishing or harassment. 

These claims follow a pattern of confirmed cybersecurity failures that have shaken user confidence over the past six months. Attackers in the February 2026 API/Bot manipulation exploited a design flaw in Polymarket’s order system, and engineered “nonces” to cancel on-chain trades while keeping off-chain records valid. That caused bots to incur massive losses based on erroneous API reports.

Polymarket also confirmed another third-party authentication breach in December 2025. The breach was linked to a vulnerability in a third-party login tool (reportedly Magic Labs), which allowed attackers to drain funds even from accounts with 2FA enabled. Another phishing attack in November 2025 on Polymarket’s comment section led to over $500,000 in user losses.

Regulators shift to active prohibition as prediction market volume grows

Regulators are shifting from passive observation to active prohibition as prediction markets grow in volume. The Brazilian government blocked 27 platforms in April 2026 (including Kalshi and Polymarket), citing concerns over household debt and consumer protection.

Authorities in Romania and Portugal also blocked specific political contracts recently to prevent speculative betting on elections. 

Meanwhile, Polymarket has adopted more stringent internal rules as of March 2026. The rules explicitly bar trades based on stolen information or “insider” knowledge of geopolitical events. Polymarket also entered into a Regulatory Services Agreement with the National Futures Association (NFA) to implement real-time surveillance. The move signaled a shift toward mainstream financial compliance. 

Regulators have also closely examined high-profile trades, such as the $32,000 bet on the capture of Nicolás Maduro, which yielded a $436,000 profit just before official news broke in January 2026. The White House and various agencies have since warned against trading on non-public information related to geopolitical conflicts, such as the U.S.-Iran war. 

On the other hand, Bernstein analyst Gautam Chhugani expects increased regulatory clarity at the federal level to boost the growth of prediction markets. He estimates that total prediction market volume will reach $240 billion in 2026 (+370% from last year).

Chhugani also projects that the prediction market trading volume will reach $1 trillion a year by the start of the next decade at a compound annual growth rate of roughly 80% between 2025 and 2030. The makeup of traded contracts is also likely to change.

If you're reading this, you’re already ahead. Stay there with our newsletter.